Custom Detection Logic Identifies Evasive Credential Dumping Techniques

June 7, 2024

Executive Summary: DeepSeas MDR+ Custom Detection Logic

The DeepSeas MDR+ custom detection logic identified an evasive series of password dumping activity on one of its Managed Detection & Response (MDR) clients. The DeepSeas MDR+ service deploys custom detection logic to a variety of defensive devices that are monitored as part of the service. The DeepSeas detection engineering crew is dedicated to providing augmented detection coverage and active threat hunting in order to help eliminate detection gaps in customer defensive tools.

Figure 1 – Only DeepSeas custom detection logic hits for password dumping activity shown.

Timeline of Events

On 24 May 2024, at 6:38:14 p.m. UTC-04:00, a DeepSeas client’s file server was detected with HandleKatz on its system, a tool used for extracting credentials from the Local Security Authority Subsystem Service (LSASS) process on Microsoft Windows devices. The malware was detected as multiple trojans under the detections “bzney” and “GenericKD” using the EDR’s built-in antivirus solution. Following this, at 6:38:19 p.m., the attacker attempted to install another trojan. This time it was NanoDump, which was blocked by the EDR platform. After repeated failed attempts to run a trojan on the device, the attacker then tried to run a command utilizing the native Microsoft rundll32.exe program to create a memory dump for lsass.exe, which was also terminated automatically by the EDR software. The command line given was as follows:

cmd.EXe  /Q /c for /f “tokens=1,2 delims= ” %A in (‘”tasklist /fi “Imagename eq lsass.exe” | find “lsass””‘) do rundll32.exe C:\windows\System32\comsvcs.dll, #+000024 %B \Windows\Temp\G4Xn.tmp full

This command first launched a nested cmd.exe shell before utilizing the tasklist command to find processes named lsass.exe. Next, the command filtered the output to contain only lines which hold the term “lsass” before parsing the filtered output to extract the two tokens (%A and %B). Finally, rundll32.exe was executed via comsvcs.dll, a legitimate Microsoft proprietary file which is used to dump the lsass.exe process memory to retrieve credentials, along with additional arguments for each line of filtered output.

After the command line attempt failed, the attacker pulled one more trick from their sleeve. At 6:39:53 p.m., the attacker attempted to use procdump.exe, another native Microsoft tool with LSASS memory dump capture capabilities. After this final attempt failed, the attacker then ceased all further activity on the affected server. After DeepSeas crew members notified our client of all the activity that had occurred, it was determined that the attack was a part of a red team exercise done on behalf of the client and was not carried out by an external, malicious threat actor.

Figure 2 – Full timeline of events via the EDR solution.

EDR Logging

Digging into the details of these previously specified alerts, it was determined that the EDR solution did recognize the memory dumping activities being carried out and tagged the corresponding events. This highlights the need for threat hunting and custom detections to take advantage of existing telemetry to expand detection capabilities.

Figure 3 – Process memory dump detected and classified in MITRE ATT&CK and process techniques section.

The above example provides two instances of this. First, on the left-hand side the MITRE ATT&CK section demonstrates that EDR solution was able to determine that the technique was LSASS memory related, correctly classifying the activity down to the sub-technique level. Second, under the process section’s techniques subsection, the tag clearly shows that the EDR correctly identified a memory process dump.

Indicators of Compromise (IoCs)

The following indicators of compromise are associated with this activity:

Indicator Type Value Notes
MD5 40278bfb0de306ec2b81954c7691eaad MD5 hash of handlekatz.exe
MD5 e5a7d0df12094e9db90242092891b10e MD5 hash of nano.exe, the nanodump component.